{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32587", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:57.709Z", "datePublished": "2026-03-16T15:30:04.835Z", "dateUpdated": "2026-04-01T16:00:46.058Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-easy-pay", "product": "WP EasyPay", "vendor": "Saad Iqbal", "versions": [{"changes": [{"at": "4.2.12", "status": "unaffected"}], "lessThanOrEqual": "4.2.11", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:43:34.906Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Saad Iqbal WP EasyPay wp-easy-pay allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP EasyPay: from n/a through <= 4.2.11.</p>"}], "value": "Missing Authorization vulnerability in Saad Iqbal WP EasyPay wp-easy-pay allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP EasyPay: from n/a through <= 4.2.11."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T16:00:46.058Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-easy-pay/vulnerability/wordpress-wp-easypay-plugin-4-2-11-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP EasyPay plugin <= 4.2.11 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T15:50:04.237089Z", "id": "CVE-2026-32587", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T15:50:18.350Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32587", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T15:50:04.237089Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T15:50:08.152Z"}}], "cna": {"tags": ["x_open-source"], "title": "WordPress WP EasyPay plugin <= 4.2.11 - Broken Access Control vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Saad Iqbal", "product": "WP EasyPay", "versions": [{"status": "affected", "changes": [{"at": "4.2.12", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "4.2.11"}], "packageName": "wp-easy-pay", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update the WordPress WP EasyPay Plugin to the latest available version (at least 4.2.12).", "supportingMedia": [{"type": "text/html", "value": "Update the WordPress WP EasyPay Plugin to the latest available version (at least 4.2.12).", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/wp-easy-pay/vulnerability/wordpress-wp-easypay-plugin-4-2-11-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Saad Iqbal WP EasyPay allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP EasyPay: from n/a through 4.2.11.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Saad Iqbal WP EasyPay allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP EasyPay: from n/a through 4.2.11.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-16T15:30:04.835Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32587", "state": "PUBLISHED", "dateUpdated": "2026-03-16T15:50:18.350Z", "dateReserved": "2026-03-12T11:12:57.709Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-16T15:30:04.835Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Saad Iqbal WP EasyPay wp-easy-pay allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP EasyPay: from n/a through <= 4.2.11."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Saad Iqbal WP EasyPay permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a WP EasyPay: desde n/a hasta 4.2.11."}], "id": "CVE-2026-32587", "lastModified": "2026-04-01T17:28:39.377", "metrics": {}, "published": "2026-03-16T16:16:15.740", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-easy-pay/vulnerability/wordpress-wp-easypay-plugin-4-2-11-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.2.11]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WP EasyPay", "source": "cna", "vendor": "Saad Iqbal"}, "product": "wp_easypay", "vendor": "saad_iqbal"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-17T11:36:53.830758+00:00", "value": {"mitigation_remediation": ["Update WP EasyPay to version 4.2.12 or later", "If an immediate update is not possible, disable or remove the plugin from the WordPress installation until a patch is applied", "Monitor the plugin developer\u2019s website and WordPress security advisories for further updates and guidance"], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected systems are installations of the WP EasyPay plugin by Saad Iqbal with versions ranging from the earliest available down through 4.2.11. Users running any version of the plugin equal to or older than 4.2.11 are at risk.", "description_and_impact": "This vulnerability is a missing authorization condition that allows attackers to exploit incorrectly configured access control security levels within the WordPress WP EasyPay plugin. The primary impact is that an attacker can gain unauthorized permissions, potentially allowing them to perform privileged actions that should be restricted to legitimate users. The weakness corresponds to CWE-862, indicating the absence of sufficient authorization checks.", "risk_and_exploitability": "The CVSS score is 5.4, indicating a moderate severity vulnerability. An exploit is likely to be available through the web interface of the host WordPress site; the attack vector is inferred to be remote due to the web-based nature of the plugin, though the exact vector is not explicitly stated in the data. EPSS information is not provided and the vulnerability is not listed in the CISA KEV catalog, implying no confirmed widespread exploitation at the time of reporting."}}}}, "created": "2026-03-17T09:52:39.534407+00:00", "updated": "2026-03-24T10:50:21.871515+00:00", "vendors": ["saad_iqbal", "saad_iqbal$PRODUCT$wp_easypay", "wordpress", "wordpress$PRODUCT$wordpress"]}